| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Memory leak: p
Memory leak: tmp
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Variable "ct" going out of scope leaks the storage it points to.
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Variable "sys_auth" going out of scope leaks the storage it points to.
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Calling strncpy with a maximum size argument of 128 bytes on
destination array "options_ret->actual_mechanism" of size 128
bytes might leave the destination string unterminated
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Variable "gd" going out of scope leaks the storage it points to.
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Signed-off-by: Olaf Kirch <okir@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
There exists a possibility of an integer overflow in the
clnt_vc_create @ src/clnt_vc.c : 217 and
clnt_dg_create @ src/clnt_dg.c : 176.
In clnt_dg_create, the integer dtbsize is multiplied
with the size of the cond_t structure to get the total
number of bytes to be allocated.
The integer dtbsize is the value returned by a call to __rpc_dtbsize.
163: int cv_allocsz;
164: size_t fd_allocsz;
165: int dtbsize = __rpc_dtbsize();
176: cv_allocsz = dtbsize * sizeof (cond_t);
On a 32 bit version, the integer dtbsize is multiplied with the value 48.
The value returned by __rpc_dtbsize is the hard limit on the maximum
number of file descriptors which is 2^20 by default in my Ubuntu 16.04.
If this hard limit was increased to a value greater than 2^27,
this multiplication would overflow and result in a value smaller
than the expected size.
I understand that changing the hard limit on the maximum value of file
descriptors requires root privilege. But it would be reasonable
to double check this value before using it in calculations.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1600284
From: Jayakrishna Menon <jkrshnmenon@gmail.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
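The overflow this commit message describes, as an added illustration that is not libtirpc's code: the unchecked product stored back into an int, beside a guarded version that rejects inputs that cannot be represented. COND_T_SIZE is fixed at the 48 bytes the message quotes for a 32-bit build so the arithmetic is the same on every host, and the function names are invented here.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* sizeof(cond_t) on the 32-bit build discussed in the commit message. Fixed
 * here (constructed constant) so the arithmetic is the same on every host. */
#define COND_T_SIZE ((size_t)48)

/* The computation as the commit message describes it: an int multiplied by
 * a size_t, with the result stored back into an int. For dtbsize >= 2^27 the
 * product exceeds INT_MAX and the stored value is garbage (negative here). */
static int cv_allocsz_unchecked(int dtbsize)
{
    int cv_allocsz = (int)(dtbsize * COND_T_SIZE);
    return cv_allocsz;
}

/* Guarded form: reject non-positive counts, products that would wrap size_t,
 * and products that would not fit the int the caller stores them in.
 * Returns 0 and sets *out on success, -1 otherwise. */
static int cv_allocsz_checked(int dtbsize, size_t *out)
{
    size_t bytes;

    if (dtbsize <= 0)
        return -1;
    if ((size_t)dtbsize > SIZE_MAX / COND_T_SIZE)
        return -1;                      /* size_t multiplication would wrap */
    bytes = (size_t)dtbsize * COND_T_SIZE;
    if (bytes > (size_t)INT_MAX)
        return -1;                      /* would not survive conversion to int */
    *out = bytes;
    return 0;
}

/* Byte count as a signed value, or -1 when the guarded computation rejects
 * the input; used for the demonstration below and for checking results. */
static long long cv_allocsz_or_neg(int dtbsize)
{
    size_t bytes;
    if (cv_allocsz_checked(dtbsize, &bytes) != 0)
        return -1;
    return (long long)bytes;
}

int main(void)
{
    int limits[] = { 1024, 1 << 20, 1 << 27 };
    for (size_t i = 0; i < sizeof limits / sizeof limits[0]; i++)
        printf("dtbsize=%d unchecked=%d checked=%lld\n", limits[i],
               cv_allocsz_unchecked(limits[i]), cv_allocsz_or_neg(limits[i]));
    return 0;
}
```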
| |
Fixes: 5e7b57bc20bd ("rpcinfo: change order of version to be tried to 4, 3, 2")
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Thomas Blume <Thomas.Blume@suse.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
The cause is that the xdr_putlong uses a long to store the
converted value, then passes it to fwrite as a byte buffer.
Only the first 4 bytes are written, which is okay for a LE
system after byteswapping, but writes all zeroes on BE systems.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1261738
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
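The byte-level mechanism behind this fix, as an added model that is not libtirpc's code: putlong_model reproduces the original path (htonl() into a long, then the first sizeof(int32_t) bytes written out) with the host's endianness and sizeof(long) as parameters, so the big-endian result can be checked on any machine; putlong_fixed writes an object that is exactly the converted 32-bit integer. All function names are invented here.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the defective xdr_putlong path: the value is converted with htonl(),
 * stored in a `long`, and the first sizeof(int32_t) bytes of that long are
 * written out. Host endianness and sizeof(long) are parameters so the
 * big-endian failure can be reproduced on any machine. */
static void putlong_model(uint32_t v, int host_big_endian, size_t sizeof_long,
                          unsigned char out[4])
{
    /* Memory image that htonl(v) has on every host: big-endian bytes. */
    unsigned char be[4] = { (unsigned char)(v >> 24), (unsigned char)(v >> 16),
                            (unsigned char)(v >> 8),  (unsigned char)v };
    /* Memory image of `long mycopy = (long)htonl(v)`; widening zero-fills. */
    unsigned char image[16] = { 0 };
    /* The 32-bit payload occupies the low-order bytes of the long, which sit
     * at the start on little-endian hosts and at the end on big-endian ones. */
    size_t low = host_big_endian ? sizeof_long - 4 : 0;

    memcpy(image + low, be, 4);
    /* fwrite(&mycopy, sizeof(int32_t), 1, fp) emits the first 4 bytes only. */
    memcpy(out, image, 4);
}

/* Fixed form: the object handed to fwrite() is exactly the 4-byte integer that
 * was converted, so its layout no longer depends on sizeof(long). */
static void putlong_fixed(uint32_t v, unsigned char out[4])
{
    uint32_t mycopy = htonl(v);
    memcpy(out, &mycopy, sizeof mycopy);
}

/* 1 if out[] holds the canonical XDR encoding of v (4 bytes, big-endian). */
static int is_xdr_u32(const unsigned char out[4], uint32_t v)
{
    return out[0] == (unsigned char)(v >> 24) && out[1] == (unsigned char)(v >> 16) &&
           out[2] == (unsigned char)(v >> 8)  && out[3] == (unsigned char)v;
}

static int model_correct(uint32_t v, int host_big_endian, size_t sizeof_long)
{
    unsigned char out[4];
    putlong_model(v, host_big_endian, sizeof_long, out);
    return is_xdr_u32(out, v);
}

static int fixed_correct(uint32_t v)
{
    unsigned char out[4];
    putlong_fixed(v, out);
    return is_xdr_u32(out, v);
}
```

On a little-endian 64-bit host the original code works only because the low-order bytes happen to come first in memory; the same code on a big-endian 64-bit host emits four zero bytes.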
| |
We have a report that some commercial NFS file servers still do not
support rpcbind v4 correctly. They return GARBAGE_ARGS instead of
PROG_MISMATCH or PROG_UNAVAIL, so our rpcbind client now errors out
immediately instead of trying a lower rpcbind version.
To address this, convert the "if () else if () else if ()" to a
switch statement to make it straightforward to add new status codes
to the error processing logic. Then, add a case for
RPC_CANTDECODEARGS (the API status code used when the remote
responds with GARBAGE_ARGS).
Reported-by: Yuan-Yao Sung <yysung@cs.nctu.edu.tw>
Fixes: 5e7b57bc20bd ("rpcinfo: change order of version to be ... ")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Tested-by: Yuan-Yao Sung <yysung@cs.nctu.edu.tw>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Fix a socket leak introduced by commit 5e7b57bc20bd9cadff
(rpcinfo: change order of version to be tried to 4, 3, 2)
The new function __try_protocol_version_2 doesn't return
the client, so it can't be closed via CLNT_DESTROY in the
calling function.
Signed-off-by: Thomas Blume <Thomas.Blume@suse.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Commit 46e04a73 changed clnt_create(3) not to
use reserved ports when binding a connection to
a server.
For certain legacy apps, like some of the NIS commands,
the client has to use a reserved port to be able
to communicate with the server.
So the use of reserved ports in clnt_create(3)
has been restored.
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
When specifying TCP as transport on rpcinfo getport command (-T tcp),
the initial RPC getport packet is still sent as a UDP packet.
This is because rpc protocol version 2 is tried first and
function getpmaphandle() states:
/*
* Try UDP only - there are some portmappers out
* there that use UDP only.
*/
Even on systems with newer rpc versions, this will hang when
the UDP port is blocked. That is a quite artificial limitation,
because UDP-only portmappers should be really rare by now.
The attached code changes the order of versions to be tried
to 4, then 3 and use version 2 only as fallback.
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Thomas Blume <Thomas.Blume@suse.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Commit 2936f109590e added free()s on memory that
was allocated from the stack (via alloca()).
That type of memory is automatically freed, so
those added free()s were causing double frees.
It was suggested allocating memory from the
stack can be a bit troublesome. So this patch
changes the memory allocation from the stack
to the heap which also eliminates the double frees.
Fixes: 2936f109590e ("clnt_dg_call: Fix a buffer overflow (CVE-2016-4429)")
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1552163
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1337142
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Prevent a caller of legacy RPC client and server APIs from
dynamically allocating a well-known port number, when no port number
is provided. This is similar to recent changes to svc_tli_create(3)
and clnt_tli_create(3).
BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=320
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Callers of clnt_tli_create(3) can specify that an arbitrary port
number be dynamically assigned for the client socket being created.
clnt_tli_create(3) tries bindresvport(3) first in this case.
bindresvport(3) chooses a reserved port if the caller has
CAP_NET_ADMIN_BIND privilege. If this fails, bind(2) is used to
assign a port number from the range above 1024.
This approach becomes a problem should bindresvport(3) or bind(2)
happen to choose the port number of a well-known service. If the
caller is a long-running service (like rpc.statd), it indefinitely
blocks the IANA-assigned well-known service for that port from
starting.
When using the AUTH_SYS authentication flavor, RPC services can use
the remote client's source port number to determine whether the
client is privileged, and thus the UID and GID numbers in the RPC
are trustworthy. However, it's pretty easy for a man-in-the-middle
to replace these values while the RPC is in flight. The source port
number is no guarantee of actual security.
Therefore, remove the bindresvport step, and instead of invoking
bind(2) directly, use a mechanism which allocates the port number
from the dynamic port range described in RFC 6335 Section 6.
This also impacts all users of clnt_tli_create(3) within the
library, such as clnt_tp_create(3), and the portmap/rpcbind clients.
BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=320
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Callers of svc_tli_create(3) can specify that an arbitrary port
number be dynamically assigned for the service listener being
created. svc_tli_create(3) tries bindresvport(3) first in this
case. bindresvport(3) chooses a reserved port if the caller has
CAP_NET_ADMIN_BIND privilege. If this fails, bind(2) is used to
assign a port number from the range above 1024.
This approach becomes a problem should bindresvport(3) or bind(2)
happen to choose the port number of a well-known service. If the
caller is a long-running service (like rpc.statd), the caller's
listener indefinitely blocks the IANA-assigned well-known service
for that port from starting.
Moreover, it seems that a reserved port is completely unnecessary
for listener sockets. It does not confer any extra privilege or
functionality to the listener socket, nor do remote clients infer
any extra privilege from a listener on a port number lower than
1024.
Therefore, remove the bindresvport step, and instead of invoking
bind(2) directly, use a mechanism which allocates the port number
from the dynamic port range described in RFC 6335 Section 6.
This also impacts all users of svc_tli_create(3) within the library,
such as svc_tp_create(3).
BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=320
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Create a helper function akin to bindresvport(3) that instead binds
to a dynamically assigned port using the rules in RFC 6335 Section 6
to avoid all IANA-assigned service port numbers.
This is intended to remain an internal helper for the time being, so
this commit provides no header declaration.
All internal bindresvport(3) call sites manufacture an INADDR_ANY-
type address to pass to bind(2), so the helper handles that as well,
to avoid code duplication. This means that callers do not need to
pass in a sockaddr. Only an open socket is required.
BugLink: https://bugzilla.linux-nfs.org/show_bug.cgi?id=320
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
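The kind of helper this commit and the two clnt_tli_create(3)/svc_tli_create(3) commits above describe, as an added example that is not libtirpc's implementation: it takes only an open socket, never calls bindresvport(3), and walks the RFC 6335 Section 6 dynamic range (49152 to 65535) until bind(2) succeeds, so no IANA-assigned port can be occupied. It is restricted to AF_INET for brevity, and bind_dynamic_port, next_dynamic_port and demo_bind are names invented here.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* RFC 6335 Section 6: the Dynamic Ports range is never assigned by IANA. */
#define DYNAMIC_PORT_MIN 49152
#define DYNAMIC_PORT_MAX 65535
/* Next candidate after `cur`; the top of the range and anything outside it
 * (including 0) wrap back to the bottom. */
static uint16_t next_dynamic_port(uint16_t cur)
{
    return (cur < DYNAMIC_PORT_MIN || cur >= DYNAMIC_PORT_MAX)
               ? DYNAMIC_PORT_MIN : (uint16_t)(cur + 1);
}

/* Bind an open, unbound AF_INET socket to INADDR_ANY on a dynamic-range port.
 * As in the helper the commit describes, the caller passes only the socket and
 * bindresvport(3) is never consulted. Returns 0 on success, -1 with errno set. */
static int bind_dynamic_port(int fd)
{
    struct sockaddr_in sin;
    uint16_t port = DYNAMIC_PORT_MIN;
    int tries;
    for (tries = 0; tries <= DYNAMIC_PORT_MAX - DYNAMIC_PORT_MIN; tries++) {
        memset(&sin, 0, sizeof sin);
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = htonl(INADDR_ANY);
        sin.sin_port = htons(port);
        if (bind(fd, (struct sockaddr *)&sin, sizeof sin) == 0)
            return 0;
        if (errno != EADDRINUSE)
            return -1;              /* anything but "port taken" is a real failure */
        port = next_dynamic_port(port);
    }
    errno = EADDRINUSE;             /* every port in the range is in use */
    return -1;
}
/* 1 if a fresh UDP socket lands on a dynamic-range port, 0 if it lands
 * elsewhere, -1 if this environment cannot create or bind sockets at all. */
static int demo_bind(void)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    int ok = -1, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (bind_dynamic_port(fd) == 0 && getsockname(fd, (struct sockaddr *)&sin, &len) == 0)
        ok = ntohs(sin.sin_port) >= DYNAMIC_PORT_MIN;
    close(fd);
    return ok;
}
```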
| |
It was pointed out that these two files have
different licensing clauses than the rest of
the library.
So this changes those clauses from GPL 2 to BSD-3.
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Which prevents key_secretkey_is_set from being exported.
Signed-off-by: Thorsten Kukuk <kukuk@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Signed-off-by: Thorsten Kukuk <kukuk@suse.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
As annotated in the bzero(3) man page, bzero() was marked as LEGACY in
POSIX.1-2001 and removed in POSIX.1-2008, and should be replaced with
memset() calls to write zeros to a memory region. The attached patch
replaces two bzero() calls and one __bzero() call in libtirpc with
equivalent memset() calls. The latter replacement fixes a compile error
under uclibc-ng, which lacks a definition for __bzero().
Signed-off-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
The if condition, when true, can result in memcpy
overflow as the source size can become greater than the
destination in memcpy. Modified the if condition
to prevent memcpy overflow.
Signed-off-by: ksourav <sourav.kir@gmail.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Now that the mutex is no longer held during possible connect(2) calls
in clnt_vc_create() it's possible for multiple threads to attempt the
connect concurrently.
So an EISCONN error return is not a failure case; handle it.
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
A multi-threaded application, connecting to multiple rpc servers,
may deadlock if the connect call stalls on a non-responsive server.
Signed-off-by: Paulo Andrade <pcpa@gnu.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Unlikely to change, but stay on the safe side.
Signed-off-by: Paulo Andrade <pcpa@gnu.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Avoid hiding it under a macro, and also avoid multiple function
calls when accessing structure fields.
Signed-off-by: Paulo Andrade <pcpa@gnu.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Our des_impl.c has dependencies on glibc header files
and different arguments than our header file has.
Bring our own code in sync.
Signed-off-by: Thorsten Kukuk <kukuk@thkukuk.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Add des_impl.c to become independent of deprecated functions of glibc.
Fixes: f17b44048003 ('Revert commit c0547c56dafb')
Signed-off-by: Thorsten Kukuk <kukuk@thkukuk.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
libtirpc needs rpcsvc/nis.h for compiling, but does not
provide this header file. It's only provided by glibc,
if the sunrpc code is not marked as deprecated, and
by libnsl. But libnsl needs libtirpc to compile...
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
If we don't compile in YP support, don't include YP.
Signed-off-by: Thorsten Kukuk <kukuk@thkukuk.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Log the reason why the clnt_call fails when debugging
is enabled.
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
With the port to poll, an endless loop can be created
when we run out of file descriptors. Remove the code
that tries to recover from that error.
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
makefd_xprt() checks that the file descriptor is lower than FD_SETSIZE.
But with tirpc now using poll(), this limitation does not exist anymore.
Remove the check completely.
Signed-off-by: Thorsten Kukuk <kukuk@thkukuk.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Add parameters to local prototypes to fix compiler warnings and avoid
portability issues about wrong compiler assumptions.
Signed-off-by: Thorsten Kukuk <kukuk@thkukuk.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Change rtime() function to use poll() instead of select().
Signed-off-by: Thorsten Kukuk <kukuk@thkukuk.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Remove old, meanwhile wrong comment about FD_SETSIZE and
_rpc_dtablesize().
Remove the local prototype for _rpc_dtablesize() but use
the public header instead.
Signed-off-by: Thorsten Kukuk <kukuk@thkukuk.de>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
After svc_sendreply() is done, release items allocated by the
svcauth_gss_accept_sec_context() call.
These two leaks occur on every GSS RPC request.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
The xdr_bytes encoder malloc's a buffer if the passed-in struct
gss_buffer_desc is left empty. If a matching xdr_free() is not
done, that malloc'd buffer is leaked.
These two leaks occur on every GSS RPC request.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
svcauth_gss_accept_sec_context() and svcauth_gss_nextverf() were
overwriting xp_verf.oa_base with a dynamically-allocated buffer
that was never freed.
This resulted in a leak of many small blocks during each GSS RPC
request.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
If gss_import_name() worked, always release "name" before returning.
The "name" buffer is not visible outside of
svcauth_gss_import_name().
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
_svcauth_gss() already refreshes the server's credentials while
handling each RPC call. This overwrites the pointer to the
credentials acquired by rpc_gss_set_svc_name(), leaking them.
This is typically a one-time leak of about 16KB.
Fixes: c55a77516fd0 ('Add server-side rpc_gss_*() APIs')
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
It looks like in b2c9430f46c4ac848957fb8adaac176a3f6ac03f when svc_run
switched to poll, an early return was added, but the rwlock was not
unlocked.
I observed that rpcbind built against libtirpc-1.0.1 would handle only
one request before hanging, and tracked it down to a missing
rwlock_unlock here.
Fixes: b2c9430f46c4 ('Use poll() instead of select() in svc_run()')
Signed-off-by: Michael Forney <mforney@mforney.org>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Libtool will not even try to link a shared library on some systems
(e.g. Cygwin) if it is not told that there are in fact no undefined
symbols. But this fact is enforced on Linux, so we might as well
tell libtool about it as well.
Signed-off-by: Peter Rosin <peda@lysator.liu.se>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Internally, the xp_auth pointer is no longer needed. Nor should
new authenticators rely on it in the future.
No other libtirpc has this field. For better RPC application
portability, remove it.
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
There are lifetime problems with the current handling of SVCAUTH
and the core library has no business ever destroying an SVCAUTH.
These lifetime problems lead to the gss authenticator leaking
a SVCAUTH when interleaved calls on the transport arrive with
non-gss credential flavors.
So, plagiarize the Solaris solution and keep an inlined SVCAUTH
struct to make it obvious that the core library is not managing
the life of SVCAUTH. Then point the old xp_auth pointer to the
inlined SVCAUTH by default. This makes it possible to match the
Solaris macro SVC_XP_AUTH, while still remaining compatible with
any old external xp_auth pointer users.
Adjust the gss authenticator to keep track of its own gss data
per SVCXPRT. This is still not a good gss implementation, but it
is at least better than before.
Tested-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Peter Rosin <peda@lysator.liu.se>
Signed-off-by: Steve Dickson <steved@redhat.com>
| |
Move the SVC_VERSQUIET flag from xp_p3 into an extendable struct.
Signed-off-by: Peter Rosin <peda@lysator.liu.se>
Signed-off-by: Steve Dickson <steved@redhat.com>